
Equifax and TransUnion Breach and You

How can we protect ourselves from malicious attacks?

Since the Equifax data breach exposed the personally identifiable information (PII) of approximately 145.5 million consumers, cyber security incidents have become an increasingly personal threat. This is the biggest data breach in history against a single company; there’s about a 45% chance that your own PII has been compromised. Unfortunately, we rely on companies like Equifax to adequately protect our information from hackers, and we often have little to no control over how they manage and protect it.

 

How can we take active steps to protect ourselves from malicious attacks?

Education. When it comes to phishing, social engineering, and other more advanced attacks targeting sensitive information, we need training to recognize these threats and protect our information.

Phishing attacks use deceptive emails, text messages, phone calls, and lookalike login websites to steal information, and they are usually sent out en masse. No doubt you’ve seen an email saying something like: “Hello Valued Customer, we have noticed some unusual activity on your account. Please click this link to fix this issue.” Clicking on this link will typically take you to a very real-looking but fake login page, or it may download malicious software.

Social engineering is typically a step up in complexity. It involves direct communication with employees or individuals to trick them into divulging information, and it can use the same methods as phishing (using phishing methods to specifically target an individual or organization is called spear-phishing). Always be wary when anyone you don’t know asks for sensitive information such as usernames, email addresses, and passwords, even if they claim to have permission. Good social engineers will use names and other information to convince their victims that they are authorized to be given information or access.

One advanced method is called a redirection attack. Hackers can take advantage of a vulnerability in a web address to direct you to a malicious site. This happened just recently on the Central American website of Equifax’s rival TransUnion, as well as on Equifax’s own website. Intruders redirected users to a webpage prompting a fake and malicious Java download.

If you are ever redirected to another page unexpectedly on any website, be cautious.

Never click on anything that you didn’t intend to click. If you ever do accidentally download something, contact your IT administrator.

Also, be wary of this technique in phishing emails. A competent phisher may use a spoofed email address (copied to look the same as or similar to a legitimate account), realistic-looking emails, and redirected or hidden links to trick you. If you’re not expecting the email, be cautious.

Never click a link in an unsolicited email, no matter how realistic it is. If you receive an email about a problem, always go directly to the website and check your account there instead of clicking on links.

 

Posted by Nakai Zemer

Edited 10.20.17

 
